Why do you have 2 PREROUTING chains?


These chains are correct; be sure your ftp NAT modules are loaded with lsmod (ip_conntrack_ftp & ip_nat_ftp).


FTPSERVER=192.168.2.5
SERVICE=21
INTIP=192.168.2.254
EXTIP=1.2.3.4
# The next three are used below but were not defined in the original mail; set them for your firewall
IPTABLES=/sbin/iptables
EXTIF=eth0   # external interface (assumed name)
INTIF=eth1   # internal interface (assumed name)

#
# Let's forward traffic with destination $EXTIP to somewhere else, you can discard the -i $EXTIF if you want
# other interfaces to access the service
#
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport $SERVICE -j DNAT --to-destination $FTPSERVER

#
# Not really necessary if the default gateway on the FTP server is the INTIP on the firewall
#
$IPTABLES -A POSTROUTING -t nat -o $INTIF -p tcp -d $FTPSERVER --dport $SERVICE -j SNAT --to-source $INTIP

#
# A MUST, unless your FORWARD policy is default to ACCEPT
# (the ESTABLISHED,RELATED rule is deliberately not limited to --dport $SERVICE, so the
# data connections that the ftp conntrack helper marks as RELATED get through as well)
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport $SERVICE -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Just in case your INTERNAL policy is default to DROP (return traffic from the FTP server)
#
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT


-- Omar
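As an added example (not code from Omar's or Travis's mail), here is a small POSIX sh script that puts the above into a form you can check before loading: it holds the complete rule set in one function, refuses to apply it unless lsmod shows an FTP conntrack helper (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp on later ones), and exposes a couple of counting functions that catch the two problems in the original rules (a duplicated DNAT and no ESTABLISHED,RELATED accept for the data channel). The interface names eth0/eth1 and the iptables path are assumptions; the `-t raw ... -j CT --helper ftp` line is also mine, since on kernels from 4.7 on automatic helper assignment is off by default and the helper has to be attached explicitly (on a 2.4 kernel there is no raw table, so drop that line).

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply) a complete
# FTP port-forward rule set, gated on the FTP conntrack helper being loaded.
# Addresses follow the thread; interface names and the iptables path are assumptions.
FTPSERVER=192.168.2.5
SERVICE=21
INTIP=192.168.2.254
EXTIP=1.2.3.4
EXTIF=${EXTIF:-eth0}                 # assumed external interface name
INTIF=${INTIF:-eth1}                 # assumed internal interface name
IPTABLES=${IPTABLES:-/sbin/iptables} # assumed path

# ftp_helper_loaded: reads lsmod output on stdin; succeeds if an FTP conntrack
# helper module is present (ip_conntrack_ftp on 2.4 kernels, nf_conntrack_ftp later).
ftp_helper_loaded() {
    grep -Eq '^(ip_conntrack_ftp|nf_conntrack_ftp)[[:space:]]'
}

# ftp_forward_rules: prints one iptables command per line, in the order they are needed.
# raw PREROUTING runs before nat PREROUTING, so the helper is attached while the
# destination is still $EXTIP; FORWARD sees the already DNATed address $FTPSERVER.
ftp_forward_rules() {
    cat <<EOF
$IPTABLES -t raw -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport $SERVICE -j CT --helper ftp
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport $SERVICE -j DNAT --to-destination $FTPSERVER
$IPTABLES -t nat -A POSTROUTING -o $INTIF -p tcp -d $FTPSERVER --dport $SERVICE -j SNAT --to-source $INTIP
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp -d $FTPSERVER --dport $SERVICE -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# count_dnat_rules: the thread's original set had two DNAT rules; a clean one has exactly one.
count_dnat_rules() {
    ftp_forward_rules | grep -c -- '-j DNAT'
}

# count_related_accepts: the data channel needs an ESTABLISHED,RELATED accept in both
# directions (passive mode: client to server; active mode: server back to client).
count_related_accepts() {
    ftp_forward_rules | grep -c -- '--state ESTABLISHED,RELATED'
}

if [ "${1:-}" = "--apply" ]; then
    if ! lsmod | ftp_helper_loaded; then
        echo "FTP conntrack helper not loaded (try: modprobe nf_conntrack_ftp nf_nat_ftp)" >&2
        exit 1
    fi
    ftp_forward_rules | sh -e
else
    ftp_forward_rules
fi
```

Run it without arguments to print the rules for review; `sh ftpfwd.sh --apply` loads them, but only after the helper check passes. The check reads `lsmod` directly, which is the same thing Omar asks Travis to verify by hand.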


-----Original Message-----
From: Travis Crook [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 4:00 PM
To: [EMAIL PROTECTED]
Subject: ftp forward to internal machine


Hello everyone,

    I have a firewall configured to forward port 80 traffic to an internal machine.  I was wondering if the same thing is possible with ftp traffic.  The rules I am using are as follows:

iptables -A PREROUTING -t nat -i EXTINF -p tcp -d 1.2.3.4 --dport 21 -j DNAT --to 192.168.2.5:21

iptables -A FORWARD -i EXTINF -p tcp -d 192.168.2.5 --dport 21 -j ACCEPT

iptables -A FORWARD -i EXTINF -o INTIF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A PREROUTING -i EXTINF -p tcp --dport 21 -d 1.2.3.4 -j DNAT --to-destination 192.168.2.5:21

iptables -t nat -A POSTROUTING -o INTIF -p tcp --dport 21 -d 192.168.2.5 -j SNAT --to-source 192.168.2.254


I can connect to the ftp server but then I cannot establish a data channel between the client and the server.


Any help would be appreciated.  If you want to see output of anything I can include it.


Thanks


Travis Crook

Visions Beyond
